
How to enable auditing of SYS user (sys/sysdba/sysoper) operations

October 14, 2011

1. As root, create /var/log/audit.log

# touch /var/log/audit.log

2. Add the following entry to /etc/syslog.conf (note: the separator between “local0.warning” and “/var/log/audit.log” must be a tab, not spaces)

local0.warning                                  /var/log/audit.log

3. Restart syslogd

$ ps -ef|grep syslog
root   501     1   0   Aug 11 ?           0:29 /usr/sbin/syslogd
oracle  5140  5132   0 10:52:44 pts/1       0:00 grep syslog
$ kill -HUP 501

4. Log in to the database as SYSDBA and set the audit parameters as marked below

SQL> show parameter audit

NAME                                 TYPE        VALUE
------------------------------------ ----------- ------------------------------
audit_file_dest                      string      /opt/oracle/admin/gisdb/adump
audit_sys_operations                 boolean     TRUE <-- Set from FALSE to TRUE
audit_syslog_level                   string      LOCAL0.WARNING <-- Set from default to "local0.warning"
audit_trail                          string      DB_EXTENDED <-- Set from default to (OS, extended, xml or db_extended)

 

5. Restart the database

6. Verify that auditing works by checking audit.log. You should see entries like the ones below.

Oct 14 10:43:20 ldg1 Oracle Audit[5088]: [ID 748625 local0.warning] LENGTH : '170' ACTION :[17] 'select * from tab' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'
Oct 14 10:47:05 ldg1 Oracle Audit[5088]: [ID 748625 local0.warning] LENGTH : '443' ACTION :[289] 'SELECT NAME NAME_COL_PLUS_SHOW_PARAM,DECODE(TYPE,1,'boolean',2,'string',3,'integer',4,'file',5,'number',        6,'big integer', 'unknown') TYPE,DISPLAY_VALUE VALUE_COL_PLUS_SHOW_PARAM FROM V$PARAMETER WHERE UPPER(NAME) LIKE UPPER(:NMBIND_SHOW_OBJ) ORDER BY NAME_COL_PLUS_SHOW_PARAM,ROWNUM' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'
Oct 14 10:53:37 ldg1 Oracle Audit[5147]: [ID 748625 local0.warning] LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'
Oct 14 10:53:37 ldg1 Oracle Audit[5147]: [ID 748625 local0.warning] LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'
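Each field in these records carries its value length in brackets, which is what lets a parser read statements that contain quotes of their own (as the DECODE statement does). The following is an added example, not part of the original post, that parses such lines and lists the SYSDBA/SYSOPER statements worth reviewing. It assumes the bracketed number is the value's character count; the function names are hypothetical and the sample lines are constructed in the format shown above.

```python
import re

# Constructed sample lines in the record format shown above (straight quotes).
SAMPLE = [
    "Oct 14 10:43:20 ldg1 Oracle Audit[5088]: [ID 748625 local0.warning] LENGTH : '170' ACTION :[17] 'select * from tab' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'",
    "Oct 14 10:53:37 ldg1 Oracle Audit[5147]: [ID 748625 local0.warning] LENGTH : '159' ACTION :[7] 'CONNECT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'",
    "Oct 14 10:53:37 ldg1 Oracle Audit[5147]: [ID 748625 local0.warning] LENGTH : '158' ACTION :[6] 'COMMIT' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'",
    "Oct 14 10:58:02 ldg1 Oracle Audit[5147]: [ID 748625 local0.warning] LENGTH : '173' ACTION :[20] 'select 'x' from dual' DATABASE USER:[1] '/' PRIVILEGE :[6] 'SYSDBA' CLIENT USER:[6] 'oracle' CLIENT TERMINAL:[5] 'pts/1' STATUS:[1] '0' DBID:[10] '2989302927'",
    "Oct 14 10:59:00 ldg1 sshd[6001]: constructed non-audit line that must be skipped",
]

HEADER = re.compile(r"Oracle Audit\[(\d+)\]: .*?LENGTH : '\d+'")
FIELD = re.compile(r" ([A-Z ]+?) ?:\[(\d+)\] '")   # e.g. " ACTION :[17] '"

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not one."""
    head = HEADER.search(line)
    if head is None:
        return None
    rec = {"TIME": line[:15], "PID": int(head.group(1))}
    pos = head.end()
    while (f := FIELD.match(line, pos)):
        start, n = f.end(), int(f.group(2))
        # Take exactly n characters instead of scanning for the next quote,
        # because the value (a SQL statement) may contain quotes itself.
        if line[start + n:start + n + 1] != "'":
            raise ValueError("length prefix does not match value: " + f.group(1))
        rec[f.group(1)] = line[start:start + n]
        pos = start + n + 1
    return rec

def privileged_statements(lines, ignore=("CONNECT", "COMMIT")):
    """List (time, client user, statement) for SYSDBA/SYSOPER records,
    skipping the session bookkeeping actions named in `ignore`."""
    out = []
    for line in lines:
        rec = parse_record(line)
        if (rec and rec.get("PRIVILEGE") in ("SYSDBA", "SYSOPER")
                and rec.get("ACTION") not in ignore):
            out.append((rec["TIME"], rec.get("CLIENT USER"), rec.get("ACTION")))
    return out

if __name__ == "__main__":
    for row in privileged_statements(SAMPLE):
        print(*row, sep=" | ")
```

To run it against the real file, pass `open("/var/log/audit.log")` to `privileged_statements` in place of `SAMPLE`.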

 
